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INIROCUCTION 
This document describes the audit and recovery procedures” that 
are available in the Mark 8.9 and tater release of OMSII.- It 1s 
a generat descriotion of these features and a discussion of how 
they are implemented. The syntax for specifying Audit and 


Kecovery is described in the DASDL product specification (P.S. 
2219 0433) and an example of AUDIT/RECOVERY specifications is 
given in Appenaix 8 of this document. 


OMSII audit and recovery procedures enable users to safeguard and 
to reconstruct the integrity of their data bases by automatically 
providing a history of all changes to the data tase and by 
allowing a range of recovery procedures. 


RELATED DOCUMENTATION 


NAME | 7 — NUMBER 
DASDL nat | — -PaSe 2219 9433 
DMS Reorganization PeSe 2219 9540 
MCPII . “PeSe 2212 35462 
Sottware Operational Guide © | 1968731 


DEFINIIIONS UE IERMS 


This section contains definitions of the basic terms upon which 
the following ciscussion is based. 


WORDS MEANING 


AUDIT . Audit is a process of recording within a series 
of files (the audit trail) a complete history of 
all the changes made to a data base. Each data 


base has its own audit trail that cannot be 
shared with any other data base. 


TRANSACTION A sequence of data management operations 
required to ‘process one user request. 
Operations which change the data base can only 

be done during a transaction. 
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PROGKAM 


ABURT RECOVERY 


CLEAK/START 
RECOVERY 


SYNCPOINT 


CONTROLPOINT 


RESTART 


DUMP RECOVERY 


PARTIAL 
DUMP RECOVERY 


RECOVERY 


The process of restoring the integrity of a data 
base when a program is terminated in the’ middle 
of a transactions but the data management system 
continues to rune. . 


The process of restoring the integrity of a data 
base which was open and tetng updated when a 
systea failure occurred. 


A OMS-controlled time when no programs are 
updating a data base. No programs are in a 


transaction. 


A SYNCPOINT that also writes to disk any data 
base blocks or data. base controt information 
that has been updated and that has been in 
memory since prior to the previous CONTROLPCIAT. 


OA process by which the Data Management system 


provides information to an application program 
about the tast transaction that was completed 
before a failure which required recovery. The 
programs that are restarted by the operator 
after a CLEAR/START can use this information to 
commence processing transactions that were not 
completed. 


The process of using the “after” images tn the 
audit trail anda backup copy of the data base 
to rebuila the data base when it is found to be 
unusable because of storage failures. 


The process of recovering a subset of the files 
in a data base from a previous dump (Dump 
Recovery of a subset of the data base). 


The process of restoring the integrity of a data 
base that may have been corruopted or lost 
through a hardware or software failure. 
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FILE OUMP ~ A backup copy of part or att of the data hase 


created while the data base 15 not being used. 
The information necessary for DUMP recovery to 
enter the audit trail witl be automaticatly 
saved in the <datasbase-name>/DICTIONARY which 
should be included with each.dump. 
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AUDIT 


The audit trail is a sequence of “before"™ and "“after™ images 
resulting from changes written to the data tase» optus various 
control records. Pure retrieval requests are not audited. The 
audit trail is used to recover the data base after a Clear/Start>» 
to provide restart information to object programs» to reconstruct 
the data hbase when portions of the data base are tost due to 
hardware errorse and to back out transactions for atortea 
programs. 


TRANSACTIONS 


Restart after recovery is accomplished efficiently ty requiring 
some aid from the application programs. To minimize the coding 
required in the apptlicaticn programs» ‘transaction processing 15 
the basis for recovery and restart. — 


A transaction 18 any. sequence of data management operations 
starting with BEGIN@TRANSACTION and ending with END*TRANSACTION 
Cor ENO*TRANSACTION with SYNC). A sample program usINg 
transactions 15 included in Appendix C. | 


when BEGIN TRANSACTION is executed» the program enters 
transaction state. When END“TRANSACTION Cor END“TRANSACTION with 
SYNC) is executed» the program leaves transaction state. Also» 
all records tocked by the program are unlocked at the completion 
of END-“TRANSACTION. (The onty exception is that the current 
restart-data~set record is not untocked.) These transactions may 
not be nested. That is» EEGIN@“TRANSACTION returns an AUDITEREOF 
exception if the program was already in transaction state. Any 
error on BEGIN@TRANSACTICN other than AUDITERROR will teave the 
program not in transaction state... Any END@“TRANSACTION (Cor 
END“TRANSACTION with SYNC) returns an AUDITERRGR exception if the 
program was not in transaction state. Any exception other than 
AUDITERROR will leave the program in transaction state. 


END“TRANSACTION with SYNC forces a SYNCPOINT to occur after the 
transaction is completed but prior to returning control to the 
user program. .- This form should be used very sparingly to avoid a 
significant decrease in system throughput. On data bases which 
have the audit option set in their DASDLs the onty operations 
which are tegal when not in transaction state are OPEN» FIND» 
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MODIFY» FREE» CLOSE» CREATE» RECREATE and BEGIN“TRANSACTION. Any 
other operation witl return an AUDITERROR exception. If AUDIT is 
specified in BEGIN“TRANSACTION or END“=TRANSACTIONs the restart 
record (within the user program) is saved for possible restart. 
CA  STGRE on the restart data set is performed). If NO-AUOIT 1s 
specified» the restart record area is not saved. AUDIT is true 


by default for BEGIN“TRANSACTIONS NO-AUDIT ts the default for 
END=TRANSACTION. 


Prior to any SBEGIN or END*TRANSACTION with AUDIT» a CREATE or 
RECREATE of the restart-data-set must be executed if there is no 
locked current record for the restart-data7set. If this is not 
done» a NOTLOCKED exception wilt occur. 


AUDIT should never te set on both. BEGIN-TRANSACTION and 


END@TRANSACTI ON.» Only the tlast audited restart record 15 
available at restart times thus the BEGIN~TRANSACTICN will never 
be returned to the user. If restart information is updated 
during a transactions then AUDIT should be set on 
END-TRFANSACTION. Ntherwise AUDIT on etther but not both. Any 
transaction which does not set AUDIT on either is not 


restartable. 
RESTARI~VATA-SETS 


At restart time the data base wilt be recovered by the 
RECOVER/DATA~BASE program. It is the user"*s responsibility to 
restart the user program and to restore the necessary state for 
that programe The restart record 1s provided as a storage area 
for some of the state informations but it does not do such things 
as reposition non-data base input and output files» etc. 


For each data base that has the audit option specified» a 
restart~data"set is required. This data set follows the rules of 


normal disjoint data sets» with afew additions. The 
restart-data~set may not contain any embedded data sets or 
subsets. The restartrdatatset must be invoked by any COBOL 
program which contains a BEGIN-= or END*TRANSACTION. The 


restart"data~set record is used for program-dependent restart. 
The purpose of the restart record area is to hold the minimal 
amount of information that a program needs to restart after a 
Clear/Start or when transactions are aborted. Please note that 
the same size restartedata-set record is used for atl programs 
that run against a data base. The size of the restart data set 
must be targe enough to restart the program which requires the 
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most information to restart. 


It is intended that the user supply an item Cor items) uniquely 
identifying the restart areas for each different application 
program. typicatly»e the procram-id is used as the key to access 
the restart data set. There often will be a large alpha item 
which holds the actual restart information. Moving this item to 
a COBCL work area wilt allow each different program to access 
this information in the most convenient format. Alt COBOL verbs 
may be used to access the current restart record. 


Q2YNCPOINTS 


Transactions for different users may overlap. To allow maximum 
throughput (minimum record contention)» changed records neea not 
be tocked until the end of the transaction updating them. Thus» 
in generals it is not possible to back out a partial transaction 
without backing out all overlapping transactions (completed or 
not). In order to timit the amount of backing out required at 
recovery timer the SYNCPOINT was introduced. SYNCPOINT 1s a 
point when no programs are tin transaction state. 


Transactions are intended toa be of roughly equal duration. 
Otherwise» a disproportionately long delay may be imnosed upon 
programs executing short transactions at syncpoint time. This 


delay results from having to wait for the longer transactions to 
complete. 


Obvious sources of tong waits (such as "NO FILE" conditions) 
should be avoided when in transaction state. A single program 
hung while in transaction state means that»e eventually» no 
transactions against the data base wilt he able to voroceed»s 
because a SYNCPOINT must occur. 


The user may specify the frequency of syncnoints in terms of 
transactions. At each END*TRANSACTION» the system checks to see 
if it is time for a syncpoint. If it is time» then the system 
waits for all in-process. transactions to completes places a 
syncpoint in the current audit records» and initiates the I/0 on 
the audit record. Any jobs attempting to execute a 
BEGIN“TRANSACTION during this period are suspended» When the I/0 
completes» the syncpoint is completes» and all suspended jobs are 
reinstated. 


The user may force a syncpoint at any time by tnittating an 
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ENO-TRANSACTLON with SYNC. SYNCPOINT must complete before 


control is returned to the user program when this form of 
END“TRANSACTION is used. 


Close wilt always force a SYNCPOINT prior to returning to the 
user program. This eliminates the possibility of having to 
backout a close due to a program abort or Clear/Start. 


CONTROL POINTS 


In order to minimize physical I/05» changes to database tuffers 
are accumulated tn memory. Updated huffers are written to disk 
only when the memory space they occupy is required for another 
purpose. Thuse without a special mechanism to force writes oan 
all buffer Ss» Clear/Start recovery would have to go back to the 
datambase open to insure that all changes are reflected in the 
data base. . 


CONTROLPOINTS are the special mechanism to timit the amount of 
time needed for Clear/Start recovery. The user may specify the 
frequency of CONTROLPOINTS in terms of SYNCPOINTS. When a 
syncpoint completes» the system checks to see if this is also a 
controlpoint. If it is then special code is executed to insure 
that modified buffers and control information are written to disk 
at least every two control points. When all I/Os have completed» 
then a control point is marked in the audit buffers and then 
normal processing resumes. . 


When a buffer is updatede it is marked to show that. When the 
next CONTROLPCINT occurse if the buffer is still in memory» it is 
marked to show that. When the second CONTRKOLPOINT occurss if the 
buffer is still in memory» then it wittl be forced out to disk 
before the CONTROLPOINT wilt finish. Thus» Clear/Start recovery 
need not go back further than two CONTROLPOINTS from the end of 
the audit trail. If CONTROLPOINTS do not occur frequently» then 
it is likely that only frequently used records (such as coarse 
tables) wilt need to be flushed at CONTROLPOINT time. 
CInfrequently used records will tend to be overlaid during normal 
processing against the data base.) Updated available soace 
information (CNAHO'S) are flushed every other CONTROLPCINT also. 
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AUDTIASERTAL“ NUMBER 


The audit-serial-number performs a number of functions in toth 
auditing and recovery. Each time any tSlock of data is changed 
because of a data base operations the change is assigned a unique 
audit-serial~number. The initial serial number is a function of 
DASDL compilation. This is used to perform a version check on 
the first audit trail fite. The auditsserialt=number is 
incremented by one for each Evenge to the data base and uniquely 
identifies an audit record. 


Une of the primary rules on an audited data tase is that no 
updatea data base blocks may be written to disk untess its 
changes have been written to the audit trail. This guarantees 
that any change can be backed out if necessary. The 
auditsserial~number its used to insure that this rule is met. The 
system keeps track of the highest audit seriat numbers in the 


audit trail. Each block in memory has associated with it an 
audit serial number reflecting the last update that was done to 
that block. Any data case block with an audit serial number 


which is higher than that on the audit trait may not be written 
to disk. 


Alt tables in the data base Cindex sequential» index random and 
Lists) contain a space at the end of their block which contains 
an audit serial number. This audit serial number corresponds to 
the last change that was made to this tabte. The audit record 
which describes the change to the block also has associated with 
it a serial number. By comparing these serial numbers» the 
recovery program can telt if the change described by a given 
audit record has been doner and take the appropriate action. 
This prevents oerforming the same operation twice or not 
performing it at all. Blocks which contain data set records do 
not contain serial numbers because chanyjes to a data set record 
do not affect other records; and therefor?» a change may ~0be 
applied more than once with no effect on the data base. 


Each audit record concerning tables atso explicitly carries with 


it another audit serial number. This serial number is the audit 
serial of the hlock before the change described by this aucait 
record was made. This serial is needed for ClearsStart recovery 


when it as not known what blocks have been updated oan disk. 
Programwabort recovery atso uses this serial number when = backing 
out operations» although it does know that all blocks have been 
updated on disk. 
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If the recovery program finds a match between the serial numbers 
on a block and the audit record» it is sure the change described 
by the audit has been done. When it: backs this change out» it 
replaces the seriat number on the block with the previous serial 
number. The next time the block 18 updated the recovery pragram 
can again check for the equal condition. After the recovery 
program has backed out the changes back to the last SYNCPOINT 
before the Clear/Starts» att seriat numbers that it will see wilt 
then be in a known range. This allows for effective consistency 
checking which is important in the environment after a 
Clear/start. This same type of consistency checking is done for 
all types of recovery. 


AUDIT FILES 


The audit trail consists of a sequence of audit files which are 
named: a 


<data~base~name>/AUDI T<audit-fite-number > 


The auait file number starts at one and increases by one every 
time a new audit file is opened. when it reaches 999999 it 
“wraps around™ to zero and starts again. 


The audit trail should not reside on the system disk but on a 
user pack or tape» since it will be lost if the system disk fails 
and a Cold/Start is required. It also should not reside on the 
Same pack as any of the data base files. If that pack is 
damaged» then both the data base files and the audit files used 
to protect them will be lost. . 


Audit files with no data in them may be generated. This may 
occur when an irrecoverable 1/0 error is encountered during the 
write of the first block to an audit file or if a Clear/Start 
happens prior to the first block being written. These files are 
not removed since the recovery program automatically skips them» 
whether it 1s going forward or hackward. 
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~ANODIT ELLE EURHAT 


The audit file contains fixed-length tlocks with variable-length 
records. The Length of a block is set during DASDL compilation 
and each audit block contains a fixed-size trailer. The trailer 
contains two audit serial numbers. An audit seriat number 135 
needed for every record in the audit file; however» once it is 
established». it can be calculated from the previous record's 
serial. After the serial has heen established» the serials on 
the blocks become redundant information which is checked for 
consistency. _ 


The trailer contains a current block audit serial number» a dlock 
number and ae fulleblock bit. The current block audit serial 
number is that of the first record in the tlock. The block 
number is relative to the teginning of the file (9 is first). If 
the tlock is completely full» the fulleblock bit iS set to 
indicate that status. 


The traiter also contains the next olock's audit serial number 


and a pointer to the tast record. The serial is of the first 
record in the next block. It matches the current serial in the 
next block. The pointer is the distance in bits from the start 


of the block to the end of the last record in this block. lf no 
records end in this block» the pointer takes on the vatue_ of 
aFFFF a. This situation comes up when audit reccrds are tong 
relative to the size of the block. 


Several of these fields are used to insure that the end of the 
audit file is not lost. The end of the audit file can be found 
by reading the audit trail forward and checking that the btock 
number is correct» and also that the current block audit serial 
number of this block matches the previous block's next block's 
audit serial number. 


If either of these checks fails» then the end of file has been 
found. This applies whether auditing to disk or tape. The 
endsof-file pointer on a disk file is updated on aisk every time 
a new area is opened Cit points at the tast block in the new 
area) and when the audit file is closed Cit points at the tast 
block used). Thuse in finding the endrof-file on a disk  fite> 
the serial search can start at the end of the next to tast area. 
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The length of audit records is determined by the type of the 
record and the structure which the record references. The audit 
file must be read forward and backward and so the record type and 
structure number appear at each end of the audit record. 


Some record types are not associated with any particutar 


structure but describe the state of the data base. These only 
have arecord type. They include data base open» closep 


SYNCPOINT>» CONTROLPOINT and PROGRAM ABORT. The rest of the 
record types are associated with a particular structure and that 
structure number foltows the record type-, independent of the 
direction that the auditfite is being read. (For further 
-information on audit record types and formats» see Appendix A). 


Some information in the audit file is redundant at certain times 
during recovery. An example of this is the record type and 
structure number. at the “other”™ end of the record. This 


information is checked as oprotection against undetected 1/0 
errors. | 


IO ITO IIIT TO TOIT TOR RII TO hk 1. Audit record area. 


+e ee He FH OF 


* 2. Last record displacement 
* from start (16 bits) 
1 x 3. First Audit Seriat in 
* this block (32 bits) 
* 4. First audit serial in 
kak hkkkee next block (32 bits) 
* 2 * 5S. Full block indicator 
KKEEKKKKKEKKE KK KKAKEKKKKKKKKKEKKK Ci bit) 
3 * 4 * 5 * i) x 6. Block number» first block 
KKK KKKKEKEKK KKK KKK KKK KEK in file = 0 €32 tits) 
AN AUDIT BLOCK 
kk a KKK KKK 1. Record type (8 bits). 
* 1 * 


kk kkkkakk kk 


AN ALDIT RECURD (DATA BASE STATE) 
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te KK IK KEK KEKE KKK KKRKKEKKKKKEKKKKKK KK 
* 21 *© 2 &. 3 * 2 * 1 * 
RRR KERKKEKKKEKEKEKKR KK EKER KEK A KKK kakkkkkkk kkk kkk kk 


AN AUDIT RECORD (STRUCTURE OPERATION) 


1. Record type (8 bits). 
@- Structure number (8 bits). 
$3. fields depend on record type and structure number. 


AUDIT EXLE USAGE 


Audit files are of variable Length; their size is determined cy 
a number of factors. Initially» an audit file 1s opened at the 
first BEGIN“TRANSACTION after the data base is opened. The audit 
file is closed whenever any one of the following occurs: 


: The audit file fills up. 


N 
» 


An irrecoverable I/@ error occurs. 


36 The data base is closed by alt programs which have ever 
gone? through SEGIN“TRANSACTION. 


4. A PROGRAM ABORT occurs. 


Although nothing appears on the audit file to indicate it» the 
audit file is closed in a sense by a Clear/Start recovery. The 


exact way that this is handled is explained later in this 
section. 


In cases one and two» there will be no indication why the audit 
file has been closed. The program witl simply reach end of file. 
In fact» an audit record may be split across a file boundary. In 
cases three and four»s a record is put into the audit file to 
indicate what caused the file to close. 


When an audit file is closed by the MCPr some processing i158 done» 
so that the file may be used later. If the file ts a disk files 
the EOF pointer is adjusted so that it reflects the tast block 
that was written. If the file is a tape file» tapemarks and an 
ending label which contains among other things» the block counter 
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are written on to the end of the file. But when a Clear/Start 
occurss none of this can be done. To recover the data base 


immediately after the Clear/Start and make future dump recovery 
possibler some processing is done after the Clear/Start. 


Any tape files that were opened output get a tape mark written on 
them tefore they are rewound as part of the Clear/Start. The 
recovery program requires this tape mark be at the end of atl 
tape files. If the tape mark is not written for some reason (for 
instances» the tape is dismounted before the Clear/Start) then 
DMPALL or some other utility must. be run to make a new tape with 
a tape mark. . 


For disk files» the recovery program must fill in the endeof-file 
pointer. As the audit file 1s being written» the endrof-file 
pointer is always kept at the end of the area being filted up. 
Because of the way disk space is allocated and buffers are output 
from memory to disk» the good audit blocks are known. tf there 
is more than one area» recovery is assured for the last block of 
the next to the last area. That is» when the disk space for a 
new area is obtained» the last block in the prior area has been 
successfully written out. If an auditfile has only one arear 
then there may not be any good audit blocks in it. When the 
recovery program finds the tlast good block» it updates the 
end-of-fite pointer to the correct value. 


For future recoveriess some way is needed to identify that a 
Clear/Start recovery has taken place. The way this is done 15 to 
make the audit serial number one greater than it would noraaily 
pe. This 18s used for bhoth Oump recovery and Clear/Start 
recoveries which happen tmmediately after the present one. For 
Dump recoverys the recovery program opens the next file as it 
comes to the enc of the present one. That a Clear/Start has 
happened is apparent in the sertal-number check. The recovery 
program then must reopen the prior audit file and back out to the 
last SYNCPOINT. . 


If a Clear/Start happens just after the audit file opens» but 
betore the first block cets written out» the recovery program 
opens the prior file. If this file was closed due to a data base 
close or it had Clear/Start recovery run on it» there is no 
recovery that has to be performed. Since atl changes to the data 
base do not go out of memory until the audit block describing 
them is written out and no audit blocks have gone out» nothing 
needs to be backed out. Howevers if» for instances» the prior 
file was closed because it was full» then the changes described 
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in this prior’ audit file must be. backed out. To telt the 
differences» the serial number 1s again used. If the next block 


serial in the last audit block is the ‘same as that in the 
dictionary» then a good close has taken place. If the next block 
serial is one tess than that in the dictionary» then a 
Clear/Start recovery has taken place. Other values for that 
serial indicate a Clear/Start recovery is needed. 


AUDII EFFICIENCY 


Two audit buffers are always used when creating an audit file. 
The buffers are used alternately. The switch occurs when ever a 
buffer filts or a syncpoint occurs while auditing to tape. When 
an audit file fills up» any operations in process are atlowed to 
complete (Cbut no new ones may start)» filling the audit tuffers 
and» if necessary» overflowing into temporarily allocated 
buffers. The audit file is cthosed and a new audit file is 
opened» preserving the FI6 and audit buffers through close and 
open. If necessary» the current buffers that are full» and any 
overflow buffers» are written out to the new audit file. At the 


completion of these I/Os» the data base operations are allowed to 
commence. © a3 = 


Audit efficiency is determined by two critical parameters: — the 
frequency of SYNCPCGINTS and the file's btocksize. =©To keep the 
speed from deteriorating excessively when auditing» the audit 
trail must have a targe effective blocking factor. Too smatt an 
audit fite blocksize wilt prevent this» as wilt frequent 
SYACPOINTS. (The audit buffers are flushed at SYNCPOINT time, 
and the DMS routines are inhibited until the writes complete). 
Un the other hand» if SYNCPOINTS occur infrequently» many 
transactions may be backed out during Ctlear/Start recovery or 
when aborting a transaction. Also» a targe audit file blocksize 
implies that more memory is required for audit buffers and _ for 
data buffer spacer Since ufdated buffers may not be overtaid 
(written to disk) until the corresponding audit entries have been 
written to the audit trait. When auditing tc tapes if the. 
blocksize is larger than the audit information recorded during a 
SYNCPOINT» the extra space does not get used. 


For data sets» record images are audited; and for 
index=sequential»s index random and tists» table entry changes are 
audited. Logicat audit records may te split across one or more 
ohysical audit blocks. These techniques cause a considerable 
reduction in the amount of data which might otherwise be written 
to the audit trail. 
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A/C ERRORS WHILE AUDITING 


During an audit» if an I/0 error occurs while atteapting to write 
to the audit trail and the normat MCP retries are not successful» 
the current audit file is closed and the next one opened. The 
write is then retried. The data base is tocked against update 
until the audit block is successfully written. If tape is the 
audit medias it should be copied when the tast block of an audit 
tape had awrite parity. The recovery routines need a copy of 
the tape with a tape mark at the end and no faulty areas. 
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RECOVERY 


When an event has occurred that compromises the integrity of an 
audited data base» a program is run to make the data base 
trustworthy aqaine This . section describes that program 
CRECOVER/DATAeBASE) and some of the resources it. uses to 
accomplish its job. 


A data hase may lose its integrity in a number of ways. Three 
posstbilittes are: : . 


le The loss of the disk that any part of the data base was 
stored on. 


Ze A failure of the hardware or software while the data case 15 
being updated such that a Clear/Start is required. An 


unknown amount of changes to the data base may be trapped in 
memory in this cases. 


3. The failure of a program that was in transaction state (Cand 
was potentially capable of changing the data base) to 
successfully leave transaction state. 


These types of failures are handled by the recovery orogram = and 
are referred tore respectively» as: 


1. Dump or Partial=-dump recovery 
2e Clear/Start recovery 
3. Program~abort recovery 


Note: The types of failures are ranked in order of their 
seriousness» i.e.» the effort and processor time to 
recover from the error. The loss of disk (Possibility 1) 
is the most serious and may include Program~Abort recovery 
as part of a Dump recovery. 


A software failure may cause either a program or system 
failure. If they occur at the same timer a Clear/Start 
recovery (the more sertous failure) is required. 
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RECOVERY INI TTATLON 


Recovery begins when the RC control message is entered upon the 
consote printer or CRT. The RC control message executes 
RECOVER/DATA.BASE> providing the necessary tabel equation. 
RECOVER/DATA-BASE must reside on system disk at the time RC is 
used. The syntax of RC is defined as: ; 


SYNTAX 
RC ==" <data-base-name> “*""-22%° oem ewe mem w nme meee ee wen>> 
! { 
f--- ON -=- <pack=-name> <->! 
> eo eee ee we ew ewe cow ew en nee cece ne neee ween cen e wenn >¢ 


[<ee eww cane » anna ee we otal | 


i--- <file-name> ~*--->] 


The RC message zips the execution of the data base recovery 
program and the. userssupplied <datasbase-name> identifies the 
name of the data base that is to be recovered. The type of 
recovery to be done is automatically defined by the information 
in the data base dictionary on the status of the data base. 


RC allows an optional <pack-id> for those data bases where the 
dictionary resides on a user disk as well as an optional 
file-list to indicate dump recovery of the specified data base 
files only. The <file-identifier>s are put into a parameter file 
similar to a LOAD-DUMP file. The address of this file is passed 
to the recovery program anc Switch 4 is set to "1" (SW4=1) by the 
MCP to indicate recovery of a partial data base. There 15 no 


file list required for Clear/Start» ahort recovery,» or full-dump 
recovery. 
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TYPES QE RECOVERY 


The simplest failure from a recovery point of view is 
Programu=abort recovery. The recovery program need onty back out 
all the changes made to the data base from the last SYNCPOINT or» 
if there has not been a SYNCPOINT since the data base was opened» 
then to the data hase open. 


Clear/Start recovery involves backing out all the changes since 
the last SYNCPOINT and then going back two CONTROLPOINTS and 
making sure that all changes to the data base that were done in 
this interval are reflected in the data base. 


Dump recovery requires that the previous copy of the data tase» 
and the audit files writter since that copy was taken» be loaded 
to disk. The recovery program applies the audited changes» i.e.» 


the “after™ images» to the previous database.. The recovery 
program orocesses these images in the same way the OMS program 
originally processed then» with the exception that when a 


Clear/Start is encountered on the auditfile» the recovery program 
only has to back out changes since the tast SYNCPOINT. Any 
changes done before the tast SYNCPOINT have been written to disk 
by the recovery programe 


Partial-dump recovery allows the user to perform Dump recovery on 


a subset of the fites in the data base. © A backup copy of only 
those files to be recovered and the old Dictionary are loaded. 
The old Dictionary 15 Loaded under  . the name 
<datacrtase-name>/OLD.DICT. The current Dictionary must remain 
under its proper name. Dump ‘recovery is performed on the 
specified files until they are up to the tevel of the current 
Dicttonary. “At that time Clear/Start recovery or Proaram-abort 


recovery will be performed if necessary. 
CLEAR/START RECOVERY 


When the first update on the data base occurss a bit (boolean) is 
$et cn in the <datatbase-name>/DICTIONARY. This bit 1s turned 
off when the data base is closed for the last update program. On 
the first open of the data base» if this bit is on» the data base 
was not closed properly (e.g-» there was a Clear/Start without a 
successful data base close). Clear/Start recovery is requested. 
Alt data management jobs will be suspended by data management 
UPEN until recovery is successful. 
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Recovery occurs tin four phases: 
le The end of the audit trait is found. 


a The audit trait is read backward to the Last SYNCPCINT. 
The “before” images are used to back out all changes 
since the last SYNCPGINT. 


3e The second CONTROLPOINT from the end of the audit trail 
is founds and the audit trail is. scanned forward from 
this point. The “after” images are used to insure that 
all transactions before that tast SYNCPOINT are 
completed. The restart areas for the tLast comoleted 
transactions are saved in the restart data set. 


he The audit file is terminated> the data base is 
unlocked» and recovery is complete. . 


Although Clear/Start recovery is requested automatically by the 
first data base OPEN executed after a Clear/Start» the operator 
may safely run it at any time. If recovery is not needed» the 
recovery program wilt ask for a nonexistent audit file. The 
operator should respond that it is not available and recovery 
will terminate. | | 


PRUGRAM ABORT 


The locking of records in OMSII is designed to maximize the 
potential for multiorogramming against the data base and hence, 
total throughput. Thus» changed records need not be held tocked 
until the end of the transaction which changed them. A partial 
transaction cannotr in general, be backed out without 
invalidating other transactions that were occurring at the same 
time. One transaction may have updated the data dase with data. 
created by the aborted transaction. Thus» an attempt to abort a 
single transaction may affect att programs currently running 
against the data base. For this reason» transactions should be 
abortea only when absolutely necessary. Exolicit syntax to 
invoke the abort transaction process is not provided. The abort 
transaction function 15 implicitly invoked when a program 
terminates and forces a close on a data base while in transaction 
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state. Program termination outside of transaction state does not 
require recovery» howevers the restart record is saved. 


The abort transaction process wilt force a SYNCPOINT before 
performing the abort. As soon as alt programs are out of 
transaction state» the SYACPUOINT occurs and a “pseudo” close is 
performed. All updated blocks in memory are written to disks all 
control information is written to the <data~base~name>/DICTIONARY 
and the audit file is closed. Any programs attempting to access 
the data base will. be hung "WAITING DATA BASE RECOVERY™. 
RECOVER/DATA.BASE wilt be executed by the MCP. for Program-abort 
recovery» the “before” images in the audit trail will be used to 
back out all transactions since the Last SYNCPOINT. The restart 
areas for the Last completed transaction will be entered in the 
restart data set. 


When the recovery is complete» RECOVER/DAT As BASE issues a special 
communicate to the MCP.. This communicate updates the necessary 
information in the <data-base~name>/DICTIONARY. 


If any other programs were accessing the data base at the time of 
the Programmabort» then a “pseudo” open 1s. performed. The 
necessary <datacsbasesname>/DICTIGNARY information is updated in 
memory and all the affected programs will be restarted. Affectea 
programs will be informed that some of. their transactions have 
been backed out by an ABORT exception returned by their next 
execution of BEGIN“TRANSACTION or CLOSE following the abort. 
when this occurs» the affected programs shoutd retrieve their 
restart record from the restart data set to aid in redoing their 
backed-out transactions. 


The paths of all programs currently using the data hase are 
marked as undefined at the completion of Program~=abort recovery. 


QUHP RECOVERY 


Dump recovery (Cor RECONSTRUCTION) may be executed any time the 

data hbase 18S not active. Prior to executing the recovery 

programe a good version of the data base should be toaded to the 

system. Both the cictionary file and alt of the data files which 

have teen updated since this version was created should also be 

toaded. Alt audit files created after this version must be 
available when requested. 
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The recovery program will apply atl of the "*after”™ images on the 
audit trail to the data base. It will continue until it finishes 
the last audit file (the operator cetls the recovery program that 
there are no more audit files) or an I/N error is encountered. 
If an I/0 error is encountered or an audit file is unavailable, 
the data base will be recovered to that points» att further audit 
files should. be destroyed and all processing from that point must 
be resrun. The RESTART Data Set will contain the normat restart 
‘information for programs that were runnincec at that point. If any 
of the audit files were terminated with a Clear/Start or a 
Program-abort>, the normat Program-abort handling is invoked. 
Upon completion of Program=abort» dump recovery is resumed with 
the next audit file. 


PARIIAL“OUMP RECOVERY 


If a subset of the files in a data base (excluding the 
dictionary) have been tost or corrupted» the user may request 
that onty those files be recovered from a previous dump through 


an RC message which specifies a List of the <file-name>s. The 
dictionary from that dump must be toaded to disk under the name 
<datasbase=name>/OLD.DICT. Recovery will use the old dictionary 


as the source of the file records of the files to be recovered as 
well as the audit FP8 and the audit serial information (Cor any 
other information). Dusp recovery 1s performed on the specified 
files until they are up to the current dictionary level. At that 


time» Clear/Start or Programmabort recovery wilt be performed on 
the full data base if needed. 


“UNSUCCESSFUL RECOVERY 


RECOVER/DATA-BASE Goes extensive integrity checking in an attempt 
to preclude or identify corruption in a data base. A side effect 
is that recovery is not restartable with this checking. when it 
is necessary to rerun recovery» the RC message is again entered, 
but with Switch 3 set to one (SW3=1) in order to reduce the 
integrity checking. The data base should still be intact» but 
recovery is not likely to detect previously existing corruption 
in this mode. If Program-abort or Partial-dump recovery or. 
Clear/Start recovery continues to fails DUMP recovery may be 


successful. A backup copy of the data base should be loaded and 
recovery started. . 
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IQ ERSOR LURING RECOVERY 


The control information of each audit block contains. the audit 
block number. It increases by one for each audit block written. 
{tf it ever increases by more than one for two consecutive blocks» 
one or more blocks of the audit may have been lost. The recovery 


routines check for this condition. Any 1/0 errors white 
attempting to read the audit trail will. cause either incomplete 
or unsuccessful recovery. Incomplete recovery occurs on dump 


recoverys where on detecting an I/0 error on the audit trails the 
recovery program will back out to the last SYNCPCINT. 
Program=abort recoverys», Clear/Start recovery» and Partial=dunp. 
recovery terminate unsuccesfully when they encounter an audit 
trail I/0 error. 


I/G errors on data hase fites atways result in unsuccessful 
recovery. : 


Note: Copying the audit tape will NOT hetp if there is a faulty 
area in the middle cf an otherwise good audit tape. (CALL 
information after the faulty area will be tost). 
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APPENDIX At ANOIT RECORD FORMAT 


Audit records are variable length and variable format. The key 
to the length and format of the record is the type field which is 
the first item of each record. Each record must be capatte of 
being traversed in both a forward and a tackward direction. For 
this reason each record which is longer than just a type field 
will atso end iin the type field... There are two basic types of 
audit records: Control Records and Data Records. 


CONIRSL RECORDS 


The control records consist only of a type field. © Gn control 


recordss the first digit of the type field is @Ba. These records 
ares | 


TYPE. MEANING 

asia — SYNCPOINT 

aB2a CONTROLPOINT 
aB3@ DATA BASE CLOSE 
apaa DATA 8ASE OPEN 
aB5 a PROGRAM ABORT 


DATA RECORDS 


The data records are grouped into classes. The first digit of 
the type indicates the class. Immedtatety following the type 
field is an 8"bit structure number. The records always end with 
the 8-bit structure number followed by the %-bit type field. The 
generat format is? 


TYPE = STRUCTURE = DATA CVARTABLE) = STRUCTURE = TYPE 


The specific records and their contents are: 
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DATA SET: 


a1Ma DATA 
RECORD AFTER 
IMAGE 


alla -~- DATA 
RECORD BEFORE 


IMAGE 


aiza DATA 
RECORD BEFORE 
AND AFTER 
IMAGE. 


INDEXES: 
a2Ng -- 
TABLE ENTRY 


aelaq REMOVE 
TABLE ENTRY 


a2ca INDEX 
SEQUENTIAL 
ROQGT 


a23a INDEX 
SEQUENTIAL 
KEY CHANGE 


INSERT 


CONTENTS 


PREVIOUS AUDIT SERIAL 


BLOCK LOGICAL ADDRESS 


DATA RECORO NUMBER 
NEW DATA RECORD 


PREVIOUS AUDIT SERIAL 
BLOCK LOGICAL ADDRESS 
DATA RECORD NUMBER 
OULD DATA RECORD 


PREVIOUS AUDIT SERIAL 


- BLOCK LOGICAL ADDRESS 


DATA RECORD NUMBER 
OLD DATA RECORD 


NEW DATA RECORD 


PREVIQUS AUDIT SERIAL 


BLOCK LOGICAL ADDRESS . 
TABLE ENTRY NUMBER 


NEW TABLE ENTRY. 


PREVIOUS AUDIT SERIAL 
BLOCK LOGICAL ADDPESS 
TABLE ENTRY NUMBER 
OLC TABLE ENTRY 


NUMBER 


NUMBER 


NUMBER 


NUMBER 


“NUMBER 


PREVIOUS AUDIT SERIAL NUMBER 


BLOCK LOGICAL ADDRESS 
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LENGTH 


BIT(32) 
BIT(24) 


—BITCB8) 


“BITCSTR. 


BIT(32) 


OLD ROOT TABLE LOGICAL ADDRESS 


NEW ROOT TABLE 


PREVIOUS AUDIT SERIAL 
BLOCK LOGICAL ADDRESS 
TABLE ENTRY NUMBER 
OLD KEY 

NEW KEY 


NUMBER 


LOGICAL ADOKESS 


BIT(24) 


BIT(B) 
BITCSTR 


BIT(32) 
BIT(24) 
BIT(8) 


BITCSTR. 


BITCSTR 


BIT(32) 
BIT(24) 
BITC12) 
BITCSTR 


BIT(32) 
BIT(24) 
BIT(12) 
BITCSTR 


BIT(32) 
BIT(24) 
BITC24) 
BIT(24) 


BIT(32) 
BIT(24) 
BITC12) 
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RECORD.SIZE) 


eRECORD.SIZE) 


DATAeSIZE) 


eDATA’*SIZE) 


eFECORD.SIZE) 


eRECORD.SIZE) 


BITCSTRKEY-SIZE) 
BITCSTRKEY. SIZE) 
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TYPE & MEANING 


CONTENTS 


BLGCK CONTROL FIELDS: 


a32a -- SET. 
BLOCK TYPE 


a3ia “= CHANGE 
TABLE NEXT 


a32a -- CHANGE 
TABLE FRIOR 


33a -°- SET 
TABLE NEXT & 
PRIOF 


LIST: 


a4naq -- 
IMAGE OF 
CONTROLINFO 


BEF ORE 


a41Q =~ 
IMAGE CF 
CONTROLINFOG 


AFTER 


PREVIOUS AUDIT SERIAL 
BLOCK LOGICAL ADDRESS 
OLD BLOCK TYPE © 
NEW BLOCK TYPE. 


PREVIOUS AUDIT SERIAL 


BLOCK LOGICAL ADDRESS 
OLD TABLE NEXT 
NEW TABLE NEXT. 


PREVIOUS AUDIT SERIAL 
BLOCK LOGICAL ADDRESS 
OLC TABLE PRIOR 
NEW TA8LE PRIOR 


PREVIOUS AUDIT SERIAL 


BLOCK LOGICAL ADDRESS 
ULD TABLE NEXT 
OLC TABLE PRIOR 
NEW TABLE NEXT 
NEW TABLE PRIOR 


PREVIOUS AUDIT SERIAL 
BLOCK LOGICAL ADDRESS 
LIST TABLE NUMBER 


OLOCONTROLINFG 


PREVIQUS AUDIT SERIAL 
BLOCK LOGICAL ADDRESS 
LIST TASLE NUMBER 
NEWCONTROLINFO 


NUMBER 


NUMBER 


NUMBER 


NUMBER 


NUMBER 


-NUMBER 
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LENGTH 


BIT(32) 
BITC24) 
BIT(2) 


—BITC2) 


B1T(32) 
BITC24). 
B1T(24) 


BITC24) © 


B1TC32) 
BITC24) 
B1T(24) 
BIT(24) 


BITC32) 


BITC24) | 


BITC24) 
BITC24) 
BITC24) 


BIT(?4) 


BITC32) 
BITC24) 


BIT(8) 
BITC72) 


BITC32) 
BIT(24) 
BITCce) 

BIT(72) 
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a42a -~ INSERT 
LIST RECORD 


q4$a -- REMOVE 
LIST RECORD 


a449 "= REMOVE 


LIST RECORD 
AND DELETE. 


@45a “=~ STORE 
LIST TABLE AND 
INSERT LIST 
RECORD 


4463 <= CHANGE 
LIST RECORD 


CONTENTS 


PREVIQUS AUDIT SERIAL 
BLOCK LOGICAL ADDRESS 


LIST TABLE NUMBER 


LIST RECORC NUMBER 


NEW RECORD 


PREVIOUS AUDIT SERIAL 
BLOCK LOGICAL ADDRESS. 


LIST TABLE NUMBER 
LIST RECORD NUMBER 
OLC RECORD : 


PREVIOUS AUDIT SERIAL 
. BLOCK LOGICAL ADDRESS. 


LIST TABLE NUMBER 


OLC CONTROLINFO & OLD 


PREVIOUS AUDIT SERIAL 


NUMBER 


NUMBER 


NUMBER 


RECORD ~ 


NUMBER 


BLOCK LOGICAL ADDRESS © 


LIST TABLE NUMBER 


NEW CONTROLINFCG & NEW 


PREVIOUS AUDIT SERIAL. 
BLUCK LOGICAL ADDRESS 


LIST TABLE NUMBER 


LIST RECORC NUMBER 


OLD RECORD 
NEW RECORD 


RECORD 


NUMBER - 


An 


COMPANY CONFIDENTIAL 
a1e0o/ai7ao OMSITI AUDIT AND RECOVERY 


Se 22719 9532 (C) 


LENGTH 


BITC32)° 

BITC24) 

BITC&) 

BIT(8) 
BITCSTRLENTRY-SIZE) 


BIT(32) 
BITC24) 
BITC8) 


BITC8) 


BITCSTR.ENTRY.SIZE) 


BIT(32) 
BIT(24) . 


 BITC8) 


BITC72 4+ STR.E 


NTRY 
oe SIZE 


BITC32) 


BIT(24) 

BITCB) 

BIT(72 + STReENTRY 
~ SIZE) 


BIT(32) 
BIT(24) 
BIT(12) 


BITC8) 


BITCSTReDATA-SIZE) 
BITCSTR.DATA.SIZE) 
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IYPE & MEANING CONTENTS LENGTH 
LIST HEAD: 3 . 
Note: The parent recora is being audited 
a50qa “- LIST. PREVIOUS AUDIT SERIAL NUMBER BIT(32) 
HE AX) AFTER BLOCK LOGICAL ADDRESS. BITC24) 
IMAGE DATA RECORC NUMBER (PARENT BIT(12) 
IS A DATA SET) OR 
LIST TABLE. NUMBER CPARENT 
IS A LIST) 7 
EMBEODED LIST HEAD OFFSET BIT(16) 
FILLER (VALUE= 0) CPARENT IS BITCa) © 
A DATA SET) OR | 
LIST RECORD NUMBER: CO SSENT 
IS A LIST) | 
NEW LIST HEAD BIT¢C64) 
a5la -- LIST PREVIOUS AUDIT SERIAL NUMBER BITC32) 
HEAD BEF ORE BLOCK LOGICAL ADDRESS BIT(24) 
IMAGE DATA RECORD NUMBER CPARENT BIT(12) 
IS A DATA SET) OR | 
LIST TABLE NUMBER CPARENT 
IS A LIST) 
EMBEDDED LIST. HEAD OFFSET  BIT(16) 
FILLER (CVALUE=9) CPARENT Ts BITC) 
DATA SET) OR 
LIST RECORD NUMBER (PARENT 
IS A LIST) 
OLD LIST HEAD BITC64) 
RECORD ALLOCATION: 
a6%9qQ == UPDATE PREVIOUS AUDIT SERIAL NUMBER BIT(32) 
NEXT AVAILABLE SLOCK LOGICAL AODRESS BIT€24) 
AND HIGHEST OLD NEXT AVAILABLE BITC32) 
OPENED | NEW NEXT AVAILABLE BIT(32) 
a61qd =~ UPDATE PREVIOUS AUDIT SERIAL NUMBER BITC 32) 
NEXT AVAILABLE BLOCK LOGICAL ADDRESS BIT(24) 
OLD NEXT AVAILABLE BIT(@32) 


NEW NEXT AVAILABLE 


BIT(C32) 


BURRCUGHS CORPORATION 


COMPUTER SYSTEMS GROUP - 


SANTA BARBARA PLANT 


Type & 


a62q “7 


 @63a == GPEN 
NEW AREA . 


INDEX SPLITS & 


a@709 °° INSERT 
INTO FRONT OF | 
TABLE 


a71a == INSERT 
INTO BACK OF” 
TABLE 


g72a “=. REMOVE 
FROM FRONT OF 
TABLE 


a73a “= KEMOVE 
FROM BACK OF 
TABLE 


2 MEANING 


RETURN. 
NEXT AVAILABLE. 


CONTENTS 


PREVINUS AUDIT SERIAL NUMBER 


BLOCK LOGICAL ADDRESS 
NEW NEXT AVAILABLE 
OLD NEXT AVAILABLE 


AREA NUMBER ~ 


COMBINES: 


PREVIGUS AUDIT SERIAL NUMBER 
BLOCK LOGICAL ADDRESS 
NUMBER OF ENTRIES TO nee 


“SPLIT ENTRIES 


NUMBER OF ENTRIES TO MOVE 


PREVIOUS AUDIT SERIAL NUMBER 
BLOCK LOGICAL ADDRESS 

NUMBER OF ENTRIES TO MOVE 
SPLIT ENTRIES 


NUMBER CF ENTRIES TO MOVE 
PREVIQUS AUDIT SERIAL NUMBER 
BLOCK LOGICAL ADDRESS 

NUMBER OF ENTRIES TO MOVE 
SPLIT ENTRIES © 


NUMBER OF ENTRIES TO MOVE 


PREVIOUS ALDIT SERIAL NUMBER. 


BLOCK LOGICAL ADDRESS. 
NUMBER OF ENTRIES TO MOVE 


COMBINE ENTRIES 


NUMBER OF ENTRIES TO MOVE 
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LENGIH 


BITC32) 
BIT(24) 
BIT(32) 
BITC32) 


BITCB) 


BITC32) 


BIT(24) 
BITC12) 


«BITCH ENTRIES TO MOVE 


* STR-RECORD.SIZE) 
BITC12) 


BIT(32) 
BIT(24) 
BITC12) 
BITC# ENTFIES TO MOVE. 

* STR-RECORD.SIZE) 


BIT(12) 


BIT(32) 


~—BITC24) 


BITC12) 

BITC4# ENTRIES TG MOVE 
* STR-RECORD.SIZE) 

BITC12) 


BIT(32) 

BIT(24) 

BIT(12) 

BITC# ENTRIES TO MOVE 
* STRRECORD.SIZE) 

BIT(L2) 
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APPENDIX 92 SAMPLE DASDL DECLARATIONS 


The following 1s a skeleton of a “sample DASDL for aéédata base 
using Audit and Recovery? 


100 TRANSACTIONS» 
106 SYNCPOINTS)3 


PARAMETERS CSYNCPOINT 
CONTROLPOINT 
OPTIONS CAUDIT): | 


RE STARTAREAS restart-data-set 

TC "TRANSACTION COUNTER BUMPED BY ONE DURING EACH 
TRANSACTION BY THE werk PROGRAM” — 

NUMBER (6) 


ALPHAID "UNIQUE ID eee EACH PROGRAM™ 


ALPHA (18)3 


USERINFO 


"INFO PROGS NEED TO. RESTART" 
ALPHA C240)3_ 


RESTARTSET SET OF RESTARTAREAS | 
. KEY IS CALPHAID)3 


AUDIT TRAILC 
FAMILYNAME = AUDITPACK»s 
AREAS = 19%,5 AREALENGTH = S59 BLOCKS 
BLUCKSIZE = 3000 BYTES); 


Ct 


BURROUGHS CORPORATION | COMPANY. CONF ICENTIAL 


COMPUTER SYSTEMS GROUP BLANN/ 81700 | OMSIT AUDIT AND RECCVEPY 


SANTA BARBARA PLANT | Pe Se 2219 9532 (C) 


APPENDIX C2 SAMPLE PROGRAM 


oe 


The following is a skeleton: of a restartable data management 
CO80L program. The program reads .an input tape. Each block 
contains enough information to update one member of the data 
management data set PERSCNNEL of data base COMPANYX. The 
updating of one member is a transaction. The point of restart 
code is to skip the blocks that have already been processed. 


NOTE: The cards with. an asterisk (*) in. the first column are 
generated from the data base description automatically by 
‘the COBOL compiler. 


IDENTIFICATION DIVISION. 


ENVIRONMENT DIVISION. 
INPUT*OQUTPUT SECTION. . 
FILE-CONTROL. 
SELECT TF ASSIGN TG TAPE. 
SELECT PRINT ASSIGN TO PRINTER. 


DATA DIVISION. 
FILE SECTION. 
FO TF. . 

01 BLOCKBUF. 


DATABASE SECTION. 
DB CCOMPANYX. | 7 | 
01 PERSONNEL INVOKE PERSONNEL. 


* e 

* z _ . 

OL RESTARTAREAS INVOKE RESTARTAREAS. 

* OL RESTARTAREAS DATA SET. : 

* RESTARTSET SET OF RESTARTAREAS KEY IS ALPHAIC. 


* n2 TC PIC 9(6). 
* G2 ALPHAID PIC X (18). 
* 92 USERINFO © PIC X€24G). 


WORKING*STORAGE SECTION. 


C2 
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77 BLOCKSIN PIC 9€5) COMP=1 VALUE 0. 
77 SKIPNUM PIC 9(5) COMP-1 VALUE O. 
77 BLOCK NUM PIC 9(€5) COMP-1 VALUE %. 
“7st PIC 9(5) COMP-1 VALUE 9. 

77 ABORTING PIC 9€5) COMP~1 VALUE 9. 


PROCEDURE DIVISION. 
THEONLY SECTION. 


DUMMYLABEL. 
OPEN INPUT TF. 
OPEN OUTPUT | PRINT. 
OPEN UPDATE ~ COMPANYX 


ON EXCEPTION GO DIE. en a 
MOCIFY RESTARTAREAS VIA RESTARTSET AT RESTAKRTALPHAIOD = "MYTO" 
ON EXCEPTICN CREATE RESTARTAREAS © ) 
MOVE "MYID"™ TO KESTARTALPHAID ELSE GO RESTARTED. 
MAINLOOP. 
PERFORM READIT. 
GO TO A*TRANSACTION. 


* P 
DIE.» STOP RUN. 
. 7 


READIT. 


READ TF AT ENO GO CLOSE-08. 
ADO 1 Tf) BLOCKSIN. 


* 


A“TRANSACTION. 
BEGIN“TRANSACTION RESTARTAREAS NO@AUDIT 
ON EXCEPTION IF OMSTATUS CABORT) 
GO ABORTED ELSE 
GO OIE. 
<data base operations to update a member be PERSGNNEL using 
the information in BLOCKBLF.> 
ADD t TO TC. © 
END“TRANSACTIGN RESTARTAREAS AUDIT 
ON EXCEPTION GO OIE. 
GO 0 MAINLOOP. 
RESTARTED. 
MCVE TC TO Ie 
MOVE 9 TO BLOCKSIN. 
PERFORM READIT i TIMES. 
GG MAINLOOP. 


Cs 


BURROUGHS CORPORATION. | : | COMPANY CONFIDENTIAL 
COMPUTER SYSTEMS GROUP - 81899/B81709 DMSIIT AUDIT AND RECOVERY 
SANTA BARBARA PLANT | P. 3. 2219 9532 (C) 
ABORTED.« 


MOVE L TO ABORTING-. 

MODIFY. RESTARTSET AT 
RESTARTALPHAID = "MYID" 
ON EXCEPTION IF OMSTATUS CNOTF OUND ) CREATE RESTARTAREAS 
GO MAINLOOP ELSE GO OTE. 


* BACKED OUT TO START OF PROGRAM. 


CLOSE TF RELEASE. 
OPEN INPUT TFe 
GO TO RESTARTED. 
CLOSE-0B. 
BEGIN-TRANSACTION RESTARTAREAS No- AUDIT 
ON EXCEPTION IF DMSTATUSCABORT) GO ABURTED 
ELSE GU OIE. 
DELETE RESTARTAREAS 
ON EXCEPTION GO DIE. 
END*TRANSACTION RESTARTAREAS NO AUOIT SYNC 
ON EXCEPTION GO DIE. 
CLOSE COMPANYX ON EXCEPTION GO DIE. 
<don*t have to worry about ABORT EXEPTION becuase sync 
on previous END= TRANSACTION prevents basing out any 
transact ions> 
STGP RUN. | 


Dei 
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APPENDIX D2 PROGRAM SHIICHES 


The recovery program uses the program switches for several 
functions. The use of each switch is described below. 


SWITCH 12 Any nonzero value causes the recovery program to 
- produce a printed trace of its operation. © This trace 
contains a formatted copy of each record orocessed, 
the address and data of each data base block read or 
written» and a notation of each major decision that 1s 

made or step that is started. 


SWITCH 23 Any nonzero value causes the recovery program to stop 
| and await user action whenever a major step is 


Started. There are four major steps» some of which 
are used in each type of recovery. © The four steos 
ares 


1. Process the audit trait forward to the end 


2e Process the audit trait forward a specified number 
of syncpoints : 


3 Process the audit trail backwara to the first 
~  syncpoint or beginning of this audit fite 


4. Skip backward on this audit fite until two 
. controlpoints have been found or the beginning of 
the file is reached. 


SWITCH 3% Any. nonzero value tells the recovery program to ignore 
: the flag that indicates recovery has already been 
tried. It also restricts the integrity. checking that 
can be done on dump recovery» partial dump recovery 
and program abort recovery. It should be used only 
when recovery must be restarted. This switch is 
interrogatea only at the start of recovery. 


SWITCH 4: Any nonzero value tells the recovery program that it 
is doing partial dump recovery. This switch should be 
set only by the MCP. This switch is interrogated only 
at the start of recovery. 
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SWITCH 5S: 


Pe. Se 2719 9532 (C) 


This switch is used in conjunction with Switch 1 to 
control the printed trace of the. recovery progran. 
Switch 2 -controts the invocation of the traces and 
Switch 5 controls the contents of the trace. If 
Switch 5=0» then the trace wilt contain the history of 
the changes to all = structures; if the switch is 
nonzero» then the user wilt be requested to supply 
(via the SPO) a list of the structures to be. traced. 
This switch is interrogated only at the start of 


recovery. 


Att other switches are not used by the recovery program. 
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